Palo Alto Firewall: Remediation Integration

ExtraHop has partnered with Palo Alto Networks to create an integrated solution that lets you automatically detect and remediate security threats in real time. The integration uses the detection and open data stream (ODS) capabilities of the ExtraHop Discover appliance to identify devices that are exhibiting unusual behavior, and then sends the IP addresses of those devices to the firewall to be quarantined.

The firewall has long been a critical component of the enterprise security program. It can detect intruders attempting to gain access to the network and respond instantly to potential threats. However, it has no visibility into the inside of the network, the east-west corridor where adversaries move laterally, harvest credentials, escalate privileges, and ultimately exfiltrate valuable data.

That's where Reveal(x) comes in. By monitoring the network's internal traffic at scale and in real time, Reveal(x) performs behavioral analysis to detect an attack while it is in progress. Reveal(x) is an out-of-band, passive approach, which allows it to analyze traffic at up to 100Gbps without affecting your network's performance. By integrating this detection and investigation tool with the in-band blocking capability of Palo Alto's Next-Generation Firewalls, SecOps teams can confidently automate responses to potentially devastating attacks.

Reveal(x) also integrates with Palo Alto's Panorama to scale this combination even further. Reveal(x) can send quarantine requests to Panorama, which pushes the updates to groups of managed firewalls instead of only a single firewall.


Setting Up the Integration

This integration requires configuration on the Palo Alto firewall to set up the address group and the firewall policies that reference it, including the action the firewall should take for the IP addresses sent from the Discover appliance. You can configure these settings through the firewall Web UI or programmatically through the Palo Alto API.

On the ExtraHop side, you must configure an ODS target for the firewall, upload this bundle to the Discover appliance, and add the specific detections or alerts you want to act on to one or both of the triggers in the bundle.

The triggers extract device IP addresses from the alerts or detections that you specified, and then send those IP addresses to the firewall through ODS. An address object is created in the Palo Alto firewall for each IP address and added to the pre-configured address group, so the firewall policy that references the group takes effect against the quarantined devices.
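The following is an added example, not code from the ExtraHop bundle or from Palo Alto Networks, showing the "programmatic" side of the setup described above: the PAN-OS XML API calls that create an address object for a quarantined IP, add it to the pre-configured static address group, and commit. The firewall hostname, API key, vsys path, group name, never-block ranges and sample IPs are all constructed placeholders. The validation step is the part a practitioner should not skip: a detection-derived string must be checked as a real host address before it is embedded in an XPath or XML element, and infrastructure you cannot afford to cut off (gateways, DNS) should be on an explicit never-block list.

```python
"""Build (and optionally send) PAN-OS XML API requests that quarantine one IP
address: create an address object, add it to a static address group, commit.

Added example, not ExtraHop's bundle or Palo Alto's code. Every name, host
and address below is an assumed placeholder.
"""
import ipaddress
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL = "firewall.example.internal"      # assumed firewall hostname
API_KEY = "REPLACE-WITH-KEYGEN-OUTPUT"      # assumed; obtain via type=keygen
QUARANTINE_GROUP = "ExtraHop-Quarantine"    # assumed pre-configured static group
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")

# Constructed never-block ranges: gateways and DNS resolvers, for instance.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/29", "10.0.53.0/24")]


def validate_ip(raw):
    """Return a single unicast host address or raise ValueError."""
    addr = ipaddress.ip_address(raw.strip())   # ValueError on anything odd
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        raise ValueError(f"refusing to quarantine {addr}")
    if any(addr in net for net in NEVER_BLOCK):
        raise ValueError(f"{addr} is on the never-block list")
    return addr


def object_name(addr):
    """Deterministic object name using only characters safe in PAN-OS names."""
    return "eh-quar-" + re.sub(r"[^A-Za-z0-9_.-]", "-", str(addr))


def build_requests(raw_ip, vsys_xpath=VSYS_XPATH, group=QUARANTINE_GROUP):
    """Return the ordered XML API query dicts needed to quarantine raw_ip."""
    addr = validate_ip(raw_ip)
    name = object_name(addr)
    prefix = 32 if addr.version == 4 else 128   # always a single host entry
    return [
        {"type": "config", "action": "set",
         "xpath": f"{vsys_xpath}/address/entry[@name='{name}']",
         "element": f"<ip-netmask>{addr}/{prefix}</ip-netmask>"},
        {"type": "config", "action": "set",
         "xpath": f"{vsys_xpath}/address-group/entry[@name='{group}']/static",
         "element": f"<member>{name}</member>"},
        # Candidate config only becomes running config after a commit.
        {"type": "commit", "cmd": "<commit></commit>"},
    ]


def to_url(query, host=FIREWALL):
    """Render one query dict as the GET URL the XML API expects."""
    return f"https://{host}/api/?" + urllib.parse.urlencode(query)


def send(query, host=FIREWALL, api_key=API_KEY):
    """Issue one call; True iff the firewall answers status="success".

    The key goes in the X-PAN-KEY header rather than the URL so it does not
    land in proxy or web-server logs. Network access is required.
    """
    req = urllib.request.Request(to_url(query, host),
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        root = ET.fromstring(resp.read())
    return root.get("status") == "success"


def quarantine(raw_ip, dry_run=True):
    """Build the calls for raw_ip; send them in order unless dry_run."""
    calls = build_requests(raw_ip)
    for q in calls:
        if dry_run:
            print(to_url(q))
        elif not send(q):
            raise RuntimeError(f"firewall rejected {q['type']} call")
    return calls


if __name__ == "__main__":
    # Constructed sample: a detection participant the triggers would forward.
    quarantine("10.1.2.3")           # prints three URLs, sends nothing
    try:
        quarantine("10.0.53.7")      # a resolver: rejected before any call
    except ValueError as err:
        print("skipped:", err)
```

Run it as-is for a dry run that prints the three calls; pass dry_run=False only with a real key and hostname. For Panorama, as the text notes, the same object and group changes would be made against the Panorama configuration and pushed to the device groups it manages rather than to a single vsys path.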

The bundle also contains a status dashboard that displays the blocked IP addresses, along with the alerts and detections that generated each quarantine event.